HIPAA Compliance and OBS Online Backup

HIPAA Compliance and OBS Online Backup
HIPAA Compliance and
OBS Online Backup
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
Table of Contents
Table of Contents__________________________________________________ 2
HIPAA Compliance and the Office Backup Solutions™___________________ 3
Introduction___________________________________________________________ 3
More about the HIPAA Security Rule ______________________________________ 3
HIPAA Security Rule and Electronic Data Backup ___________________________ 4
Office Backup Solutions OBS________________________________________ 5
HIPAA Compliance and OBS Online Backup________________________________ 5
OBS Security and Encryption ____________________________________________ 6
OBS Logging and Archiving _____________________________________________ 7
Backing Up and Restoring with OBS ______________________________________ 7
OBS Feature and Benefits Summary ______________________________________ 8
For more information about OBS, please visit our website or contact us ________ 9
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
HIPAA Compliance and the Office Backup Solutions™
In 1996, Congress passed the Health Insurance Portability and Accountability Act
("HIPAA"). HIPAA was designed to reduce the administrative costs of healthcare, to
promote the confidentiality and portability of patient records, to develop standards
for consistency in the health care industry, and to provide an incentive for electronic
HIPAA applies to any health care providers, health plans and clearinghouses
(collectively "Covered Entities") that electronically maintain or transmit health
information pertaining to individuals. Covered Entities must have appropriate
measures that address the physical, technical and administrative components of
patient data privacy.
With the exception of small health plans, all Covered Entities must have data
security standards in place by April 21, 2005, when the Standards for the Security
of Electronic Protected Health Information (the "Security Rule") of HIPAA goes into
effect for most health care providers. Small health plans are exempted until April 21,
2006. The Security Rule requires health care providers to put in place certain
administrative, physical and technical safeguards for electronic patient data.
Among other things, Covered Entities will be required to have a Data Backup Plan,
a Disaster Recovery Plan, and an Emergency Mode Operation Plan.
Fortunately, there is a simple and affordable way to meet many of these security
and contingency requirements: Office Backup Solutions™.
More about the HIPAA Security Rule
The Security Rule applies to electronic protected health information either
transmitted by electronic media or maintained in electronic media. Covered entities
that maintain or transmit protected health information are required by the Security
Rule (see 45 C.F.R. §164.306) to:
1. Ensure the confidentiality, integrity, and availability of all electronic protected
health information the covered entity creates, receives, maintains, or
2. Protect against any reasonably anticipated threats or hazards to the security
or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
information that are not permitted or required under subpart E of this part.
4. Ensure compliance with this subpart by its workforce.
According to the HIPAA regulations, Covered Entities are allowed to use a
flexible approach when implementing the above requirements.
1. Covered entities may use any security measures that allow the covered entity
to reasonably and appropriately implement the standards and
implementation specifications as specified in this subpart.
2. In deciding which security measures to use, a covered entity must take
into account the following factors:
The size, complexity, and capabilities of the covered
The covered entity's technical infrastructure, hardware,
and software security capabilities.
The costs of security measures.
The probability and criticality of potential risks to electronic
protected health information.
The Security Rule is further detailed through 18 technical standards and 36
implementation specifications. These standards and specifications are classified
into four categories: administrative safeguards, physical safeguards, technical
safeguards and organizational requirements.
HIPAA Security Rule and Electronic Data Backup
A number of the Security Rule's standard and specifications apply to the backup
and safekeeping of electronic data. Covered Entities must have a contingency plan
Establish (and implement as needed) policies and procedures for responding
to an emergency or other occurrence (for example, fire, vandalism, system
failure, and natural disaster) that damages systems that contain electronic
protected health information (Administrative Safeguards - §164.308(a)(7)(i)).
This contingency plan must be implemented as follows:
Data backup plan (Required). Establish and implement procedures to create and
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
maintain retrievable exact copies of electronic protected health information.
(A) Disaster recovery plan (Required). Establish (and implement as
needed) procedures to restore any loss of data.
(B) Emergency mode operation plan (Required). Establish (and implement
as needed) procedures to enable continuation of critical business
processes for protection of the security of electronic protected health
information while operating in emergency mode.
Covered Entities must also have certain physical safeguards, such as facility
access controls. They must:
Implement policies and procedures to limit physical access to its electronic
information systems and the facility or facilities in which they are housed,
while ensuring that properly authorized access is allowed (Physical
Safeguards -§164.310(a)(1)).
The contingency operations should establish (and implement as needed)
procedures that allow facility access in support of restoration of lost data
under the disaster recovery plan and emergency mode operations plan in the
event of an emergency (§164.310(a)(2)(i)).
In addition, Covered Entities must implement certain technical safeguards
(§164.312) to, among other things:
Limit access to and electronic protected health information.
Encrypt and decrypt electronic protected health information.
Put into place audit controls that record and examine activity in
information systems that contain or use electronic protected health
Implement technical security measures to guard against unauthorized
access to electronic protected health information that is being transmitted
over an electronic communications network.
Office Backup Solutions OBS
HIPAA Compliance and OBS Online Backup
OBS online backup can help your health organization meet HIPAA compliance
requirements, specifically those of the Security Rule.
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
OBS, from GMx Solutions, is a secure online backup service that automates the
process of backing up electronic data. OBS was created with healthcare providers
in mind, to satisfy the broad need for an easy to use, automated and secure
method of backing up data offsite.
The goal of OBS was to design a cost-effective backup service that could be used
by anyone regardless of computer expertise. We listened to our customers so that
we can provide a solution that meets their expectations. OBS provides most of the
functionality and features of backup systems used by Fortune 500 companies.
However the key is that it is easy to use and does not require office staff time. OBS
provides a backup solution that is effortless to setup, easy to use, completely
automatic and most importantly, secure and reliable.
OBS Security and Encryption
All data, including patient and billing records, is encrypted before it leaves the
customer’s computer(s) and is never accessible without the customer’s encryption
key. This encryption key only known by the medical office and is never transmitted
over the Internet nor is it stored on GMx Solutions' servers. Only the customer has
access to the data in their files, thus eliminating the threat of unauthorized access.
GMx Solutions, even if the customer’s requests, cannot access the data in the
Each file is individually encrypted using a unique 256 bit encryption key, easily
software generated by the customer. OBS uses 256-bit Advanced Encryption
Standard (AES) encryption technology. AES encryption was developed by the U.S.
National Institute of Standards and Technology (NIST) and is now the state-of-theart standard encryption technique for both commercial and government
applications. Moreover, in June 2003, 128-AES was approved by the United
State's National Security Agency (NSA) for use encrypting the U.S. government's
documents classified "TOP SECRET." We use 256-bit AES encryption technology.
Another way to put it is that 256 bit encryption has 1.1 x 1077 possible 256-bit keys
combinations to crack it. Assuming that one could build a machine that could
recover a 128 bit AES key in a second (i.e., try 255 keys per second), then it would
take that machine approximately 149 thousand-billion (149 trillion) years to crack a
just a 128-bit AES key. To put that into perspective, the universe is believed to be
less than 20 billion years old. Source the National Technical Information Service
(NTIS) www.ntis.gov.
For added security, and to meet the Security Rule's transmission requirements,
each encrypted file is then sent securely over the Internet. It is encrypted at all
times using the 256-bit AES encryption while it is being sent over the Internet, to
and from the GMx Solutions servers.
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
Further, all user data is sent to and stored in two redundant secure data centers,
located 2,000 miles apart. Each data center has 24/7 onsite monitoring, advanced
security technology, backup generators and redundant connections to the Internet.
OBS Logging and Archiving
The process is controlled and monitored at each stage of the daily backup.
stages the process are:
1. Locate all of the data files to be backed up
2. Encrypt, compress, and store them in a local holding area
3. Securely transmit the data is copied to the OBS offsite backup server.
If all items are done successfully, then our dashboard has a green light for your
account. By monitoring each stage of the process we can provide you a quick
resolution if there is ever is a problem. If any stage fails, a trouble ticket is created
with our helpdesk, and the customer is informed.
Backup are normally processed during your off-hours, usually between 6 PM and 6
AM (based on your local time), however this is completely customizable. As an
added service we can help resolve problems for you. Problems that are a result of a
change on your system that are likely to cause delays getting your office started the
next morning can be remotely addressed. If the software you use some of the
standards that we are familiar with our staff can detect and repair the cause of these
problems and can either repair or give you guidance that will get you back on line
much quicker than your software provider can.
Many laws and regulations require long term data retention. OBS can
accommodate any retention period the customer may require. Since the data is
compressed during the encryption phase, the long-term data storage is economical.
In addition, many vendors charge for data storage at the uncompressed rate. OBS
saves you even more by only charging for stored files that have changed since the
last backup!
For further HIPAA compliance, CDs and DVDs of data are available for additional
long-term archiving1.
Backing Up and Restoring with OBS
Backups are automated, eliminating the need for manual data handling. Backups
Additional fees may apply.
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
will begin automatically according to each backup set's schedule, as long as the
computer is on and functioning properly. Backups can also be initiated by the user
at any time.
Restores are performed by selecting the date to restore your files from via our
customer access website, and then retrieving the files via your local GUI application
which contains your unique decryption key.
As desired, or for more significant restore operations, such a system failure, OBS
technicians are available to assist.
OBS Feature and Benefits Summary
¾ Automated, unattended data backups with built-in notifications.
¾ Ultimate data security via 256-AES bit encryption – data is ALWAYS
compressed and encrypted during transmission and storage.
¾ Restricted password access – a secret encryption key can be specified for
ultimate security, even OBS can not access your data.
¾ Off-site storage at secured data centers.
¾ Data is mirrored to secondary secure facilities for ultimate data availability .
¾ Extended storage is available.
¾ On-demand, exact copy data retrieval - 24x7x365.
¾ Optional monthly, quarterly, or annual CD or DVD archives are available.
¾ Our technology often detects problems before you do.
Some Customer Quotes:
“Office Backup Solutions has saved us 2 hours or more every time our software
provider makes a major change which is more often than we can afford.” Hudson
Florida Customer with 10 users.
“The service you provide your customer is essential for good backup practices.
However the help you have provided us by isolating and defining the customer’s
problem saves us a lot of time too.” A major medical software provider.
A Tampa Property Management Company with 22 employees. “We spent
thousands on backup hardware, software and tapes. What we found out is that our
backups were failing more than 75% of the time. Worse we did not have the in© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
house expertise to restore the data. We sold our equipment on E-bay which will pay
the first two years of our OBS service. Better yet, I sleep better knowing that we
have OBS on call whenever we need them.”
“My office staff was spending close to two hours a day of extra time doing the
backups. Plus we had no assurance that the data was available if we needed it.
Nor was it really secure. Thanks OBS.” A Clearwater Florida General Practice
Medical Office.
If you or your staff is so inclined, they can see if the backup was successfully
completed. You can also elect to receive a confirmation e-mail or just let us monitor
that all designated files are backed up
For more information about OBS, please visit our website or
contact us
GMx Solutions, LLC
13176 N. Dale Mabry Highway
Suite 421
Tampa Florida, 33618
Phone 813-868-1105
Please note that nothing in this White Paper is intended to constitute legal
advice. For more information about HIPAA and compliance with HIPAA
requirements, please consult your legal counsel.
© 2006 GMx Solutions, LLC. All rights reserved.
Powered by GMx Technologies, Inc.
Phone: 813-868-1105
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF